(57) ABSTRACT

One embodiment of the present invention provides a system that performs content screening on a message that is protected by end-to-end encryption. The system operates by receiving an encrypted message and an encrypted message key at a content screener from a firewall, the firewall having previously received the encrypted message and the encrypted message key from a source outside the firewall. The content screener decrypts the encrypted message key to restore the message key, and decrypts the encrypted message with the message key to restore the message. Next, the content screener screens the message to determine whether the message satisfies a screening criterion. If so, the system forwards the message to a destination within the firewall in a secure manner. In one embodiment of the present invention, the system decrypts the encrypted message key by sending the encrypted message key to the destination. Upon receiving the encrypted message key, the destination decrypts the encrypted message key and returns the message key to the content screener in a secure manner.
CONTENT SCREENING WITH END-TO-END ENCRYPTION PRIOR TO REACHING A DESTINATION

RELATED APPLICATION

The subject matter of this application is related to the subject matter in a co-pending non-provisional application by the same inventors as the instant application and filed on the same day as the instant application entitled, "Content Screening with End-to-End Encryption Within a Firewall," having Ser. No. 09/510,912, and filing date Feb. 23, 2000. The subject matter of this application is also related to the subject matter in another co-pending non-provisional application by the same inventors as the instant application and filed on the same day as the instant application entitled, "Content Screening with End-to-End Encryption," having Ser. No. 09/511,592, and filing date Feb. 23, 2000.

BACKGROUND

1. Field of the Invention

The present invention relates to encryption and mechanisms for screening data. More specifically, the present invention relates to a method and an apparatus for performing content screening on data that is protected by end-to-end encryption.

2. Related Art

The advent of computer networks has led to an explosion in the development of applications, such as electronic mail, that facilitate rapid dissemination of information between computer systems across computer networks.

One problem with sending information across computer networks is that it is hard to ensure that sensitive information is kept confidential. This is because a message containing sensitive information can potentially traverse many different computer networks and many different computer systems before it arrives at its ultimate destination. An adversary can potentially intercept a message at any of these intermediate points along the way.

One way to remedy this problem is to encrypt sensitive data using an encryption key so that only someone who possesses a corresponding decryption key can decrypt the data. (Note that for commonly used symmetric encryption mechanisms the encryption key and the decryption key are the same key.) For example, a person sending sensitive data across a computer network can encrypt the sensitive data using the encryption key before it is sent across a computer network. At the other end, the recipient of the data can use the corresponding decryption key to decrypt the data.

Another problem with transferring data across a computer network is that it is hard to ensure that data which is received from the computer network is harmless. For example, the data may contain a computer virus, which can harm a computer system, or the data may contain information that violates a company policy.

In order to remedy this problem, communications entering a protected group of computer systems typically pass through a firewall. This allows the firewall to perform content screening in order to filter out harmful or unwanted communications from entering the protected group of computer systems.

Unfortunately, the use of a firewall can interfere with encryption. The most secure method of encryption is "end-to-end." End-to-end encryption typically entails setting up an encrypted "tunnel" between processes on different computer systems in order to allow the processes to communicate with each other. All communications passing through the tunnel are encrypted using a session key, which is negotiated between the processes during initialization of the tunnel.

In order to perform content screening, existing systems decrypt messages at the firewall. This allows the firewall to perform the content screening, but it does not provide end-to-end encryption for the communication.

Another solution is to perform the content screening after a message reaches a computer system within the firewall. For example, virus scanners typically operate on a client computer system. Performing content screening on a client computer system makes it possible to provide end-to-end encryption. However, there are a number of drawbacks in doing so. (1) Content screeners (such as virus scanners) require updating more frequently than a client system tends to be updated. (2) Content screeners must often be explicitly activated by a user of the client computer system in order to screen the data. (3) Also, client computer systems within the firewall may not be completely trusted to enforce a content screening policy.

Hence, what is needed is a method and an apparatus for providing content screening in a system that provides end-to-end encryption without performing the content screening at a destination computer system.

SUMMARY

One embodiment of the present invention provides a system that performs content screening on a message that is protected by end-to-end encryption. The system operates by receiving an encrypted message and an encrypted message key at a content screener from a firewall, the firewall having previously received the encrypted message and the encrypted message key from a source outside the firewall. The content screener decrypts the encrypted message key to restore the message key, and decrypts the encrypted message with the message key to restore the message. Next, the content screener screens the message to determine whether the message satisfies a screening criterion. If so, the system forwards the message to a destination within the firewall in a secure manner.

In one embodiment of the present invention, the system decrypts the encrypted message key by sending the encrypted message key to the destination. Upon receiving the encrypted message key, the destination decrypts the encrypted message key and returns the message key to the content screener in a secure manner.

In one embodiment of the present invention, the system screens the message by: screening the message for a virus, screening the message in order to detect a policy violation within the message, or screening the message to detect keywords of interest in the message.

In one embodiment of the present invention, the system forwards the message to the destination by: forwarding the message to the destination in the clear under protection of the firewall; encrypting the message with a destination public key belonging to the destination prior to forwarding the message; encrypting the message with a secret key known to the destination prior to forwarding the message; or forwarding the encrypted message to the destination so that the destination can decrypt the encrypted message with the message key.

BRIEF DESCRIPTION OF THE FIGURES

FIG. 1 illustrates a system that performs content screening within a firewall in accordance with an embodiment of the present invention.
FIG. 2 illustrates a system that performs content screening within a firewall in more detail in accordance with an embodiment of the present invention.

FIG. 3 illustrates a system that performs content screening within a firewall in more detail in accordance with another embodiment of the present invention.

FIG. 4 is a flow chart illustrating the process of performing content screening within a firewall in accordance with an embodiment of the present invention.

FIG. 5 is a flow chart illustrating the process of performing content screening within a firewall in accordance with another embodiment of the present invention.

FIG. 6 illustrates a system that performs content screening after a message reaches its destination in accordance with an embodiment of the present invention.

FIG. 7 is a flow chart illustrating the process of performing content screening after a message reaches its destination in accordance with an embodiment of the present invention.

FIG. 8 is a flow chart illustrating the process of performing content screening after a message reaches its destination in the case where the destination is not trusted in accordance with another embodiment of the present invention.

FIG. 9 illustrates a system that performs content screening prior to sending a message to its destination in accordance with an embodiment of the present invention.

FIG. 10 is a flow chart illustrating the process of performing content screening prior to sending a message to its destination in accordance with an embodiment of the present invention.

DETAILED DESCRIPTION

The following description is presented to enable any person skilled in the art to make and use the invention, and is provided in the context of a particular application and its requirements. Various modifications to the disclosed embodiments will be readily apparent to those skilled in the art, and the general principles defined herein may be applied to other embodiments and applications without departing from the spirit and scope of the present invention. Thus, the present invention is not intended to be limited to the embodiments shown, but is to be accorded the widest scope consistent with the principles and features disclosed herein.

The data structures and code described in this detailed description are typically stored on a computer readable storage medium, which may be any device or medium that can store code and/or data for use by a computer system. This includes, but is not limited to, magnetic and optical storage devices such as disk drives, magnetic tape, CDs (compact discs) and DVDs (digital video discs), and computer instruction signals embodied in a transmission medium (with or without a carrier wave upon which the signals are modulated). For example, the transmission medium may include a communications network, such as the Internet.

Content Screening within a Firewall

FIG. 1 illustrates a system that performs content screening within a firewall in accordance with an embodiment of the present invention. The system illustrated in FIG. 1 includes source 102, network 104, firewall 106, network 109 and destination 110.

Source 102 can include any node on network 104 that can send a message to destination 110. Source 102 can include, but is not limited to, a computer system based on a microprocessor, a mainframe computer, a digital signal processor, a personal organizer, a device controller, and a computational engine within an appliance.
Source 102 sends a message to destination 110 through network 104. Network 104 can include any type of wire or wireless communication channel capable of coupling together computing nodes. This includes, but is not limited to, a local area network, a wide area network, or a combination of networks. In one embodiment of the present invention, network 104 includes the Internet.

In its journey to destination 110, the message passes through firewall 106 and network 109. Firewall 106 insulates nodes on network 109 from communications originating from network 104. In doing so, firewall 106 uses content screener 108 to screen messages passing into network 109 to ensure that the messages satisfy a screening criterion. This can include screening the message for harmful code, such as a computer virus. It can also include screening the message in order to detect a policy violation within the message, such as receiving a communication from a non-work-related source. It may also include screening the message to detect keywords of interest in the message.

Network 109 is a "protected" network that resides on the other side of firewall 106 from public network 104. Network 109 can include any type of wire or wireless communication channel capable of coupling together computing nodes. This includes, but is not limited to, a local area network, a wide area network, or a combination of networks. Note that all communications from network 104 into network 109 pass through firewall 106. In one embodiment, protected network 109 is a corporate "intranet" that couples together computer systems within a business organization, and public network 104 is the Internet.

After the message passes through network 109, it ultimately arrives at destination 110. Destination 110 can include any type of computer system that can receive a message from source 102. This includes, but is not limited to, a computer system based on a microprocessor, a mainframe computer, a digital signal processor, a personal organizer, a device controller, and a computational engine within an appliance.

FIG. 2 illustrates a system that performs content screening within a firewall in more detail in accordance with an embodiment of the present invention. Within source 102, message 202 is encrypted with message key 204 to produce encrypted message 208. Note that message 202 may include a single packet, or alternatively a group of packets that collectively form a single message.

Message key 204 can include a randomly generated session key for encrypting message 202, and can be negotiated between source 102 and destination 110 at the start of a communication session. Security association 210 can also be negotiated at the same time. Security association 210 identifies the particular communication session that is protected by message key 204 (out of potentially multiple communications sessions between source 102 and destination 110). Note that message key 204 and security association 210 are sent to firewall 106 by either source 102 or destination 110.

Source 102 sends encrypted message 208 and security association 210 to firewall 106 en route to destination 110. Within firewall 106, security association 210 is used to look up message key 204, which is used to decrypt encrypted message 208 to restore message 202.

Message 202 is then scanned by content screener 108 to determine whether or not message 202 satisfies a screening criterion. In one embodiment of the present invention, this content screening is performed on-the-fly as encrypted message 208 is being transferred to destination 110. In this embodiment, firewall 106 notifies destination 110 that it is safe for destination 110 to process the message if the message satisfies the screening criterion.

In another embodiment, firewall 106 holds onto the message, and only sends the message to destination 110 if the message satisfies the screening criterion.

The system can use a number of methods to send the message from firewall 106 to destination 110 in a secure manner. The system can forward the message to destination 110 in the clear under protection of firewall 106. The system can encrypt the message with a destination public key belonging to the destination prior to forwarding the message. (Note that this destination public key is associated with a destination private key to form a public key-private key pair associated with the destination.) The system can encrypt the message with a secret key known to the destination prior to forwarding the message. The system can also forward the encrypted message to the destination without decrypting the encrypted message. In this case, the destination must decrypt the message with message key 204 to restore the message.

FIG. 3 illustrates a system that performs content screening within a firewall in more detail in accordance with another embodiment of the present invention. In this embodiment, source 102 sends a self-contained message, such as an email message, to destination 110. In constructing this self-contained message, source 102 encrypts message 202 with message key 204 to form encrypted message 208. (In this case, message key 204 is generated within source 102 and is not negotiated between source 102 and destination 110.) Source 102 also encrypts message key 204 with destination public key 304 to form encrypted message key 306. This allows destination 110 to use a corresponding destination private key 310 to decrypt encrypted message key 306. (Alternatively, source 102 can encrypt message key 204 with a symmetric secret key known to destination 110. This allows destination 110 to decrypt encrypted message key 306 using the secret key.)

Source 102 sends encrypted message 208 and encrypted message key 306 to destination 110 through firewall 106.

Firewall 106 decrypts encrypted message key 306 by sending encrypted message key 306 to destination 110. This allows destination 110 to decrypt encrypted message key 306 using private key 310 to restore message key 204, and to return message key 204 to firewall 106 in a secure manner.

Firewall 106 then decrypts encrypted message 208 using message key 204 to restore message 202. Message 202 is then scanned by content screener 108 to determine whether or not message 202 satisfies the screening criterion. If so, firewall 106 sends message 202 to destination 110 in a secure manner so that destination 110 can process message 202.

FIG. 4 is a flow chart illustrating the process of performing content screening within a firewall in accordance with the embodiment of the present invention illustrated in FIG. 2. The system starts by negotiating a message key 204 (a session key) and a security association 210 between source 102 and destination 110 (step 402). This negotiation process may include authenticating source 102 to destination 110 and authenticating destination 110 to source 102. The negotiated message key 204 and security association 210 are then sent to firewall 106 in a secure manner by either source 102 or destination 110 (step 404).

In order to send message 202, source 102 then encrypts message 202 with message key 204 to form encrypted message 208 (step 406). Encrypted message 208 is then sent along with security association 210 to firewall 106 (step 408).

Firewall 106 uses security association 210 (and possibly a source address and a destination address) to look up message key 204 (step 410). Note that there may be multiple communication sessions between different processes on source 102 and destination 110, and each of these communication sessions can be associated with a different message key 204. Next, firewall 106 uses message key 204 to decrypt encrypted message 208 to restore message 202 (step 412).

Firewall 106 then runs message 202 through content screener 108 to determine if message 202 satisfies a screening criterion (step 414). If so, the system notifies destination 110 (step 416). (This presumes that message 202 is already in transit to destination 110 and that content screening is performed on-the-fly within firewall 106. Hence, firewall 106 simply has to notify destination 110 that destination 110 can safely process message 202.)

Alternatively, firewall 106 can forward message 202 to destination 110 only if message 202 satisfies the screening criterion.

FIG. 5 is a flow chart illustrating the process of performing content screening within firewall 106 in accordance with the embodiment of the present invention illustrated in FIG. 3. In this embodiment, source 102 generates a message key 204, and uses message key 204 to encrypt message 202 to form encrypted message 208 (step 502). Source 102 also encrypts message key 204 with destination public key 304 to produce encrypted message key 306 (step 504). Source 102 then sends encrypted message 208 and encrypted message key 306 to firewall 106 (en route to destination 110) (step 506).

Firewall 106 decrypts encrypted message key 306 by sending encrypted message key 306 to destination 110 (step 508). This allows destination 110 to decrypt encrypted message key 306 using destination private key 310 to restore message key 204 (step 510), and to return message key 204 to firewall 106 in a secure manner (step 512). Firewall 106 then decrypts encrypted message 208 using message key 204 to restore message 202 (step 514). Next, firewall 106 runs message 202 through content screener 108 to determine if message 202 satisfies a screening criterion (step 516). If message 202 satisfies the screening criterion, firewall 106 forwards message 202 to destination 110 in a secure manner.

Content Screening after a Message Reaches Its Destination

FIG. 6 illustrates a system that performs content screening after a message reaches its destination in accordance with an embodiment of the present invention. As in the embodiment illustrated in FIG. 1, this embodiment includes source 102, network 104, firewall 106 (optional), network 109 and destination 110. This embodiment differs from the embodiment illustrated in FIG. 1 in that content screener 108 is not located within firewall 106. Content screener 108 is instead located on a different computing node that is in communication with destination 110. (Note that content screener 108 may exist within or outside of the protection of firewall 106.) In this embodiment, content screening takes place after the message reaches destination 110, not before.

FIG. 7 is a flow chart illustrating the process of performing content screening after a message reaches its destination in accordance with an embodiment of the present invention. In this embodiment, source 102 generates message key 204, and uses message key 204 to encrypt message 202 to form encrypted message 208 (step 702). Source 102 also encrypts message key 204 (using either a public key or a secret key for destination 110) to produce encrypted message key 306 (step 704). Source 102 then sends encrypted message 208 and encrypted message key 306 to destination 110 (step 706). This may involve sending encrypted message 208 and encrypted message key 306 through firewall 106, but in this case no content screening is performed by firewall 106.
Destination 110 decrypts encrypted message key 306 (using either a private key or a secret key for destination 110) to restore message key 204 (step 708).

Next, there are two options. Under a first option, destination 110 sends message key 204 and encrypted message 208 to content screener 108 (step 710). (Note that message key 204 is sent to content screener 108 in a secure manner.) This enables content screener 108 to decrypt encrypted message 208 using message key 204 to restore message 202 (step 712).

Under the second option, destination 110 decrypts encrypted message 208 using message key 204 to restore message 202 (step 718). Destination 110 then sends message 202 to content screener 108 in a secure manner (step 720). However, destination 110 does not process message 202 until content screener 108 informs destination 110 that message 202 satisfies the screening criterion.

When content screener 108 finally obtains message 202, it screens message 202 to determine if message 202 satisfies the screening criterion (step 714). If so, content screener 108 informs destination 110 that message 202 satisfies the screening criterion (step 716). This allows destination 110 to process the message. (Under the first option, destination 110 may have to decrypt encrypted message 208 using message key 204 to restore message 202.)

If Destination Is Not Trusted

FIG. 8 is a flow chart illustrating the process of performing content screening after a message reaches its destination in the case where the destination is not trusted in accordance with an embodiment of the present invention. In this embodiment, the system forces destination 110 to send message 202 to content screener 108 by encrypting message 202 so that it can be decrypted using a key known to content screener 108, but not to destination 110.

In this embodiment, source 102 generates a message key 204, and uses message key 204 to encrypt message 202 to form encrypted message 208 (step 802). Source 102 also encrypts message key 204 (using either a public key or a secret key for destination 110) to produce encrypted message key 306 (step 804). Source 102 then sends encrypted message 208 and encrypted message key 306 to destination 110 via firewall 106 (step 806).

Firewall 106 intercepts encrypted message 208 and encrypted message key 306. Firewall 106 then encrypts encrypted message 208 with a new second message key 207 to form a twice-encrypted message. Firewall 106 also encrypts the second message key 207 with a key known to content screener 108 to form second encrypted message key 307 (step 808). Firewall 106 then sends the twice-encrypted message along with encrypted message key 306 and second encrypted message key 307 to destination 110 (step 810). At this point, destination 110 is unable to decrypt the twice-encrypted message because it lacks the key known to content screener 108, which is required to decrypt second encrypted message key 307.

Destination 110 decrypts encrypted message key 306 to restore message key 204 (step 812). Destination 110 then sends the twice-encrypted message along with message key 204 and second encrypted message key 307 to content screener 108 (step 814). Note that message key 204 is sent in a secure manner.

Content screener 108 then decrypts second encrypted message key 307 to restore second message key 207, and then decrypts the twice-encrypted message using second message key 207 to restore encrypted message 208 (step 816). Next, content screener 108 decrypts encrypted message 208 using message key 204 to restore message 202 (step 818). Content screener 108 then screens message 202 to determine if message 202 satisfies the screening criterion (step 820).

Next there are two options. Under the first option, if the message satisfies the screening criterion, content screener 108 sends the message to destination 110 in a secure manner (step 822).

Under the second option, if the message satisfies the screening criterion, content screener 108 sends the second message key 207 to destination 110 in a secure manner (step 824). (Note that second message key 207 may be sent in the clear without compromising security because second message key 207 cannot be used by itself to decrypt the twice-encrypted message.) Destination 110 uses second message key 207 to decrypt the twice-encrypted message to restore encrypted message 208 (step 826). Next, destination 110 uses message key 204 to decrypt encrypted message 208 to restore message 202 (step 828).

At this point destination 110 is able to process message 202.

Content Screening Prior to Sending a Message to Its Destination

FIG. 9 illustrates a system that performs content screening prior to sending a message to its destination in accordance with an embodiment of the present invention. As in the embodiment illustrated in FIG. 6, this embodiment includes source 102, network 104, firewall 106, network 109 and destination 110. This embodiment differs from the embodiment illustrated in FIG. 6 in that content screener 108 communicates with firewall 106, instead of communicating with destination 110. In this embodiment, the content screening takes place before message 202 reaches destination 110.

FIG. 10 is a flow chart illustrating the process of performing content screening prior to sending a message to its destination in accordance with an embodiment of the present invention.

In this embodiment, source 102 generates a message key 204, and uses message key 204 to encrypt message 202 to form encrypted message 208 (step 1002). Source 102 also encrypts message key 204 (using either a public key or a secret key for destination 110) to produce encrypted message key 306 (step 1004). Source 102 then sends encrypted message 208 and encrypted message key 306 to destination 110 (step 1006).

Firewall 106 forwards encrypted message 208 and encrypted message key 306 to content screener 108 (step 1008). Content screener 108 decrypts encrypted message key 306 by sending encrypted message key 306 to destination 110 (step 1010). Upon receiving encrypted message key 306, destination 110 decrypts encrypted message key 306 using its own private key or secret key to restore message key 204 (step 1012), and then returns message key 204 to content screener 108 in a secure manner (step 1014).

Content screener 108 uses message key 204 to decrypt encrypted message 208 to restore message 202 (step 1016). Next, content screener 108 screens message 202 to determine whether message 202 satisfies the screening criterion (step 1018). If message 202 satisfies the screening criterion, content screener 108 forwards message 202 to destination 110 in a secure manner.

The foregoing descriptions of embodiments of the invention have been presented for purposes of illustration and description only. They are not intended to be exhaustive or to limit the invention to the forms disclosed. Accordingly, many modifications and variations will be apparent to practitioners skilled in the art. Additionally, the above disclosure is not intended to limit the invention. The scope of the invention is defined by the appended claims.
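The untrusted-destination flow of FIG. 8 (steps 802 through 828), carried through end to end as an added example in Go. This code is not part of the patent, and the patent fixes no algorithms, so the following are this example's own assumptions: message keys 204 and 207 are 256-bit AES-GCM keys; encrypted message key 306 is key 204 wrapped with RSA-OAEP under the destination's public key; encrypted message key 307 is key 207 sealed under a symmetric secret assumed to be known only to content screener 108; the secure channels of steps 814 and 824 are modelled as plain function values; and the screening criterion is a constructed marker string standing in for a virus signature or a banned keyword. The names seal, open, newKey, screen and runFig8 are the example's own. The destination's unwrapping of key 306 is the same step the FIG. 7 and FIG. 10 flows rely on (steps 708 and 1012), so the block also illustrates that part of those embodiments. What it makes visible is the property the text depends on: destination 110 recovers key 204 yet cannot open the twice-encrypted message, content screener 108 can, and a message that fails the criterion never becomes readable at the destination.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Assumed instantiation: message keys 204 and 207 are 256-bit AES-GCM keys.
// seal prepends the random nonce; open reverses it and fails on the wrong key.
func seal(key, pt []byte) []byte {
	blk, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	g, _ := cipher.NewGCM(blk)
	nonce := make([]byte, g.NonceSize())
	rand.Read(nonce)
	return g.Seal(nonce, nonce, pt, nil)
}

func open(key, ct []byte) ([]byte, error) {
	blk, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	g, _ := cipher.NewGCM(blk)
	if len(ct) < g.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return g.Open(nil, ct[:g.NonceSize()], ct[g.NonceSize():], nil)
}

func newKey() []byte {
	k := make([]byte, 32)
	rand.Read(k)
	return k
}

// screen stands in for content screener 108's criterion: a constructed marker
// string plays the role of a virus signature or a banned keyword.
func screen(msg []byte) bool {
	return !bytes.Contains(msg, []byte("X-TEST-MALWARE-MARKER"))
}

// runFig8 walks one message through the FIG. 8 flow and returns what the
// destination can finally read. Key 306 is key 204 wrapped with RSA-OAEP (an
// assumed choice); the secure channels of steps 814/824 are plain values here.
func runFig8(msg []byte, destPriv *rsa.PrivateKey, screenerKey []byte) ([]byte, error) {
	// Source, steps 802-806.
	key204 := newKey()
	encMsg208 := seal(key204, msg)
	encKey306, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, &destPriv.PublicKey, key204, nil)
	if err != nil {
		return nil, err
	}
	// Firewall, steps 808-810: outer layer under key 207, 207 sealed for the screener.
	key207 := newKey()
	twice := seal(key207, encMsg208)
	encKey307 := seal(screenerKey, key207)
	// Destination, step 812: recovers key 204 but cannot peel the outer layer.
	k204, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, destPriv, encKey306, nil)
	if err != nil {
		return nil, err
	}
	if _, err := open(k204, twice); err == nil {
		return nil, errors.New("destination must not be able to open the outer layer")
	}
	// Screener, steps 816-820: unwrap 207, peel both layers, apply the criterion.
	k207, err := open(screenerKey, encKey307)
	if err != nil {
		return nil, err
	}
	inner, err := open(k207, twice)
	if err != nil {
		return nil, err
	}
	plain, err := open(k204, inner)
	if err != nil {
		return nil, err
	}
	if !screen(plain) {
		return nil, errors.New("rejected by content screener")
	}
	// Second option, steps 824-828: the screener releases key 207, which on its
	// own exposes only encrypted message 208; the destination peels both layers.
	if inner, err = open(k207, twice); err != nil {
		return nil, err
	}
	return open(k204, inner)
}

func main() {
	destPriv, _ := rsa.GenerateKey(rand.Reader, 2048)
	got, err := runFig8([]byte("constructed clean report"), destPriv, newKey())
	fmt.Printf("%q err=%v\n", got, err)
}
```

The explicit check that the destination cannot open the twice-encrypted message is what the sentence "the system forces destination 110 to send message 202 to content screener 108" depends on; an authenticated cipher turns that inability into a detectable error rather than silently yielding garbage. Note also that the screener in this flow is trusted with key 204 and the plaintext, so the secure channel of step 814 protects exactly the secret that end-to-end encryption was meant to keep off the path.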
What is claimed is: 

1. A method for performing content screening on a message that is protected by end-to-end encryption, comprising:

receiving an encrypted message and an encrypted message key at a firewall from a source outside of the firewall, the encrypted message having been formed by encrypting the message with a message key, the encrypted message key having been formed by encrypting the message key;

forwarding the encrypted message and the encrypted message key to a content screener, wherein the content screener is external to the firewall; and

allowing the content screener to decrypt the message and to screen a decrypted message content to determine whether the message satisfies a screening criterion; and

if the message satisfies the screening criterion, allowing the content screener to send the message to a destination within the firewall in a secure manner.

2. The method of claim 1, wherein the content screener screens the message by doing one of:

scanning the message for a virus;

scanning the message in order to detect a policy violation within the message; and

scanning the message to detect keywords of interest in the message.

3. The method of claim 1, wherein sending the message to the destination in the secure manner, includes one of:

sending the message to the destination in the clear under protection of the firewall;

encrypting the message with a destination public key belonging to the destination prior to sending the message, the destination public key being associated with a destination private key to form a public key-private key pair associated with the destination; and

encrypting the message with a secret key known to the destination prior to sending the message.

4. A method for performing content screening on a message that is protected by end-to-end encryption, comprising:

receiving an encrypted message and an encrypted message key at a content screener from a firewall, the firewall having received the encrypted message and the encrypted message key from a source outside the firewall, the encrypted message having been formed by encrypting the message with a message key, the encrypted message key having been formed by encrypting the message key;

decrypting the encrypted message key to restore the message key;

decrypting the encrypted message with the message key to restore the message;

screening the message to determine whether the message satisfies a screening criterion, wherein screening the message includes screening a decrypted message content; and

if the message satisfies the screening criterion, forwarding the message to a destination within the firewall in a secure manner.

5. The method of claim 4, wherein decrypting the encrypted message key includes:

sending the encrypted message key to the destination;

allowing the destination to decrypt the encrypted message key to restore the message key; and

receiving the message key from the destination in a secure manner.

6. The method of claim 4, wherein screening the message includes one of:

scanning the message for a virus;

scanning the message in order to detect a policy violation within the message; and

scanning the message to detect keywords of interest in the message.

7. The method of claim 4, wherein forwarding the message to the destination in the secure manner, includes one of:

forwarding the message to the destination in the clear under protection of the firewall;

encrypting the message with a destination public key belonging to the destination prior to forwarding the message, the destination public key being associated with a destination private key to form a public key-private key pair associated with the destination;

encrypting the message with a secret key known to the destination prior to forwarding the message;

forwarding the encrypted message to the destination so that the destination can decrypt the encrypted message with the message key.
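The exchange of claims 4, 5 and 7 (the same procedure that the storage-medium and apparatus claims below restate), as an added Go example that is not part of this patent: the source wraps a fresh message key for the destination and encrypts the message under it, the content screener obtains the message key by having the destination unwrap it (claim 5), screens the plaintext, and on success forwards the still-encrypted message for the destination to decrypt with the message key (the fourth option of claim 7). The claims name no algorithms, so AES-GCM for the message and RSA-OAEP for the message key are assumptions; the secure channels between firewall, screener and destination are assumed rather than modelled, the blocked patterns are constructed placeholders, and the two-layer variant with second message key 207 is not covered.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"io"
)

// must panics on setup failures (key generation, randomness) to keep the example short.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// Envelope is what crosses the firewall; both parts stay encrypted in transit.
type Envelope struct {
	EncryptedMessage []byte // AES-GCM nonce || ciphertext || tag, under the message key
	EncryptedKey     []byte // RSA-OAEP wrap of the 256-bit message key for the destination
}

// Destination owns the private key; neither the firewall nor the screener has it.
type Destination struct{ priv *rsa.PrivateKey }

func NewDestination() *Destination {
	return &Destination{priv: must(rsa.GenerateKey(rand.Reader, 2048))}
}

// UnwrapKey is the destination's side of claim 5: it decrypts the encrypted
// message key and hands the message key back (the secure return channel is assumed).
func (d *Destination) UnwrapKey(encKey []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, d.priv, encKey, nil)
}

func newGCM(key []byte) cipher.AEAD {
	return must(cipher.NewGCM(must(aes.NewCipher(key))))
}

// Seal is the source outside the firewall: fresh message key, AES-GCM over the
// message, RSA-OAEP over the key under the destination's public key (assumed algorithms).
func Seal(pub *rsa.PublicKey, msg []byte) Envelope {
	key := make([]byte, 32)
	must(io.ReadFull(rand.Reader, key))
	gcm := newGCM(key)
	nonce := make([]byte, gcm.NonceSize())
	must(io.ReadFull(rand.Reader, nonce))
	return Envelope{
		EncryptedMessage: gcm.Seal(nonce, nonce, msg, nil),
		EncryptedKey:     must(rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, key, nil)),
	}
}

// Open recovers the plaintext as claims 4 and 5 describe: the destination unwraps the
// key, then the message is decrypted with it; a tampered envelope fails the GCM tag check.
func Open(env Envelope, dst *Destination) ([]byte, error) {
	key, err := dst.UnwrapKey(env.EncryptedKey)
	if err != nil {
		return nil, err
	}
	gcm := newGCM(key)
	if n := gcm.NonceSize(); len(env.EncryptedMessage) >= n {
		return gcm.Open(nil, env.EncryptedMessage[:n], env.EncryptedMessage[n:], nil)
	}
	return nil, errors.New("ciphertext too short")
}

// Constructed screening rules standing in for claims 2 and 6 (placeholder
// values, not real signatures): one virus signature and two policy keywords.
var blockedPatterns = [][]byte{
	[]byte("CONSTRUCTED-TEST-MALWARE-SIGNATURE"),
	[]byte("CONFIDENTIAL-EXPORT"),
	[]byte("WIRE FUNDS NOW"),
}

// Screen reports whether the decrypted content satisfies the screening criterion.
func Screen(msg []byte) bool {
	for _, p := range blockedPatterns {
		if bytes.Contains(msg, p) {
			return false
		}
	}
	return true
}

// ContentScreener (claim 4) runs outside the firewall and never holds the private key.
// It returns the plaintext the destination ends up with, nil when the message was
// blocked, or an error when the envelope could not be decrypted.
func ContentScreener(env Envelope, dst *Destination) ([]byte, error) {
	msg, err := Open(env, dst)
	if err != nil || !Screen(msg) {
		return nil, err
	}
	return Open(env, dst) // still-encrypted envelope forwarded; destination decrypts it
}
```

The design point the claims rely on is visible in the types: the private key never leaves `Destination`, so the screener can only read traffic whose key the destination was willing to unwrap for it, and the authenticated cipher rejects a tampered or mis-keyed envelope before any screening decision is made on it.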

8. A computer-readable storage medium storing instructions that when executed by a computer cause the computer to perform a method for performing content screening on a message that is protected by end-to-end encryption, the method comprising:

receiving an encrypted message and an encrypted message key at a firewall from a source outside of the firewall, the encrypted message having been formed by encrypting the message with a message key, the encrypted message key having been formed by encrypting the message key;

forwarding the encrypted message and the encrypted message key to a content screener, wherein the content screener is external to the firewall; and

allowing the content screener to decrypt the message and to screen a decrypted message content to determine whether the message satisfies a screening criterion; and

if the message satisfies the screening criterion, allowing the content screener to send the message to a destination within the firewall in a secure manner.

9. The computer-readable storage medium of claim 8, wherein the content screener screens the message by doing one of:

scanning the message for a virus;

scanning the message in order to detect a policy violation within the message; and

scanning the message to detect keywords of interest in the message.

10. The computer-readable storage medium of claim 8, wherein sending the message to the destination in the secure manner, includes one of:

sending the message to the destination in the clear under protection of the firewall;

encrypting the message with a destination public key belonging to the destination prior to sending the message, the destination public key being associated with a destination private key to form a public key-private key pair associated with the destination; and

encrypting the message with a secret key known to the destination prior to sending the message.

11. A computer-readable storage medium storing instructions that when executed by a method for performing content screening on a message that is protected by end-to-end encryption, the method comprising:

receiving an encrypted message and an encrypted message key at a content screener from a firewall, the firewall having received the encrypted message and the encrypted message key from a source outside the firewall, the encrypted message having been formed by encrypting the message with a message key, the encrypted message key having been formed by encrypting the message key;

decrypting the encrypted message key to restore the message key;

decrypting the encrypted message with the message key to restore the message;

screening the message to determine whether the message satisfies a screening criterion, wherein screening the message includes screening a decrypted message content; and

if the message satisfies the screening criterion, forwarding the message to a destination within the firewall in a secure manner.

12. The computer-readable storage medium of claim 11, wherein decrypting the encrypted message key includes:

sending the encrypted message key to the destination;

allowing the destination to decrypt the encrypted message key to restore the message key; and

receiving the message key from the destination in a secure manner.

13. The computer-readable storage medium of claim 11, wherein screening the message includes one of:

scanning the message for a virus;

scanning the message in order to detect a policy violation within the message; and

scanning the message to detect keywords of interest in the message.

14. The computer-readable storage medium of claim 11, wherein forwarding the message to the destination in the secure manner, includes one of:

forwarding the message to the destination in the clear under protection of the firewall;

encrypting the message with a destination public key belonging to the destination prior to forwarding the message, the destination public key being associated with a destination private key to form a public key-private key pair associated with the destination;

encrypting the message with a secret key known to the destination prior to forwarding the message;

forwarding the encrypted message to the destination so that the destination can decrypt the encrypted message with the message key.

15. An apparatus for performing content screening on a message that is protected by end-to-end encryption, comprising:

a receiving mechanism that receives an encrypted message and an encrypted message key at a firewall from a source outside of the firewall, the encrypted message having been formed by encrypting the message with a message key, the encrypted message key having been formed by encrypting the message key; and

a forwarding mechanism that forwards the encrypted message and the encrypted message key to a content screener in order to allow the content screener to decrypt the message and to screen a decrypted message content to determine whether the message satisfies a screening criterion, and if the message satisfies the screening criterion, to allow the content screener to send the message to a destination within the firewall in a secure manner, wherein the content screener is external to the firewall.

16. The apparatus of claim 15, wherein the content screener screens the message by doing one of:

scanning the message for a virus;

scanning the message in order to detect a policy violation within the message; and

scanning the message to detect keywords of interest in the message.

17. The apparatus of claim 15, wherein sending the message to the destination in the secure manner, includes one of:

sending the message to the destination in the clear under protection of the firewall;

encrypting the message with a destination public key belonging to the destination prior to sending the message, the destination public key being associated with a destination private key to form a public key-private key pair associated with the destination; and

encrypting the message with a secret key known to the destination prior to sending the message.

18. An apparatus for performing content screening on a message that is protected by end-to-end encryption, comprising:

a receiving mechanism that receives an encrypted message and an encrypted message key at a content screener from a firewall, the firewall having received the encrypted message and the encrypted message key from a source outside the firewall, the encrypted message having been formed by encrypting the message with a message key, the encrypted message key having been formed by encrypting the message key;

a decryption mechanism that is configured to,
decrypt the encrypted message key to restore the message key, and to
decrypt the encrypted message with the message key to restore the message;

a screening mechanism that is configured to,
screen the message to determine whether the message satisfies a screening criterion, wherein screening the message includes screening a decrypted message content, and to
forwarding the message to a destination within the firewall in a secure manner, if the message satisfies the screening criterion.

19. The apparatus of claim 18, wherein while decrypting the encrypted message key, the decryption mechanism is configured to:

send the encrypted message key to the destination;

allow the destination to decrypt the encrypted message key to restore the message key; and

receive the message key from the destination in a secure manner.

20. The apparatus of claim 18, wherein while screening the message, the screening mechanism is configured to do one of:

scanning the message for a virus;

scanning the message in order to detect a policy violation within the message; and

scanning the message to detect keywords of interest in the message.

21. The apparatus of claim 18, wherein while forwarding the message to the destination in the secure manner, the screening mechanism is configured to do one of:

forwarding the message to the destination in the clear under protection of the firewall;

encrypting the message with a destination public key belonging to the destination prior to forwarding the message, the destination public key being associated with a destination private key to form a public key-private key pair associated with the destination;

encrypting the message with a secret key known to the destination prior to forwarding the message;

forwarding the encrypted message to the destination so that the destination can decrypt the encrypted message with the message key.
